Bug 1921556 - [OCS with Vault]: OCS pods didn't comeup after deploying with Vault details from UI
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Console Storage Plugin
Version: 4.7
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.7.0
Assignee: gowtham
QA Contact: Rachael
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-01-28 07:41 UTC by shylesh
Modified: 2023-09-15 00:59 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-02-24 15:57:05 UTC
Target Upstream Version:
Embargoed:

Links
- GitHub openshift/console pull 8008 (closed): "Bug 1921556: Modified certificate secrets key name as per rook" - last updated 2021-02-16 13:08:46 UTC
- Red Hat Product Errata RHSA-2020:5633 - last updated 2021-02-24 15:57:23 UTC

Comment 2 gowtham 2021-02-01 04:24:27 UTC
Need a proper bug description and reproducible steps to debug this issue further.

Comment 5 gowtham 2021-02-01 16:15:34 UTC
The existing UI is creating secrets for certificates with the following key names:

  ocs-kms-client-key  -> tls.key
  ocs-kms-client-cert -> tls.cert
  ocs-kms-ca-secret   -> ca.cert

But rook is expecting:

  ocs-kms-client-key  -> key
  ocs-kms-client-cert -> cert
  ocs-kms-ca-secret   -> cert

Comment 7 Sébastien Han 2021-02-02 08:22:40 UTC
I'd say that the UI team used something that existed and was different from Rook.
I have been pointing to our Rook doc several times: https://rook.io/docs/rook/v1.5/ceph-cluster-crd.html#vault-kms and it's pretty clear what needs to be done, as stated in the doc:

The keys of each secret are expected to be:

VAULT_CACERT: cert
VAULT_CLIENT_CERT: cert
VAULT_CLIENT_KEY: key

Anyway, it's a small fix.
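The mismatch described in comments 5 and 7 is easy to catch before Rook ever tries to mount the secrets. The following is an added example, not code from the OpenShift console or from Rook: it takes the three OCS KMS secrets as Kubernetes Secret objects (the shape `oc get secret <name> -o json` returns), checks that each one carries the key name Rook reads (`cert` / `cert` / `key`, as in the Rook doc quoted above), and points at the legacy `tls.key` / `tls.cert` / `ca.cert` names when it sees them. The secret names and both key-name sets come from this bug; the PEM bodies in the sample manifests are constructed placeholders, not real key material.

```python
"""Validate the OCS KMS certificate secrets against the key names Rook expects.

Added example (not console or Rook code). Models the defect in bug 1921556:
the console wrote tls.key / tls.cert / ca.cert, Rook reads key / cert / cert
(https://rook.io/docs/rook/v1.5/ceph-cluster-crd.html#vault-kms).
"""
import base64
from typing import Dict, List

# Secret name -> key Rook reads from it (from the Rook doc quoted in comment 7).
ROOK_EXPECTED_KEYS: Dict[str, str] = {
    "ocs-kms-ca-secret": "cert",    # VAULT_CACERT
    "ocs-kms-client-cert": "cert",  # VAULT_CLIENT_CERT
    "ocs-kms-client-key": "key",    # VAULT_CLIENT_KEY
}

# Key names the pre-fix console wrote (comment 5) -> the name Rook wants.
# Only used to produce a rename hint in the report.
LEGACY_UI_KEYS: Dict[str, str] = {"tls.key": "key", "tls.cert": "cert", "ca.cert": "cert"}


def check_kms_secrets(secrets: List[dict]) -> List[str]:
    """Return a list of findings; an empty list means Rook can consume every secret."""
    findings: List[str] = []
    by_name = {s["metadata"]["name"]: s for s in secrets}
    for name, wanted in ROOK_EXPECTED_KEYS.items():
        secret = by_name.get(name)
        if secret is None:
            findings.append(f"{name}: secret missing")
            continue
        data = secret.get("data") or {}
        if wanted not in data:
            hint = ""
            for present in data:
                if LEGACY_UI_KEYS.get(present) == wanted:
                    hint = f" (found legacy key '{present}'; rename it to '{wanted}')"
            findings.append(f"{name}: key '{wanted}' not present{hint}")
            continue
        # Rook mounts the value as a file that curl reads, so it must be base64 of PEM text.
        try:
            pem = base64.b64decode(data[wanted], validate=True).decode()
        except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
            findings.append(f"{name}/{wanted}: value is not base64-encoded text")
            continue
        marker = "PRIVATE KEY" if wanted == "key" else "CERTIFICATE"
        if "-----BEGIN" not in pem or marker not in pem:
            findings.append(f"{name}/{wanted}: value does not look like a PEM {marker}")
    return findings


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed placeholder PEM bodies; not real certificates or keys.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIE...placeholder...\n-----END PRIVATE KEY-----\n"


def make_secret(name: str, key: str, value: str) -> dict:
    """Build a minimal v1 Secret object as `oc get secret -o json` would show it."""
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name}, "data": {key: _b64(value)}}


# Constructed sample: what the pre-fix console created (comment 5).
BEFORE_FIX = [make_secret("ocs-kms-client-key", "tls.key", FAKE_KEY),
              make_secret("ocs-kms-client-cert", "tls.cert", FAKE_CERT),
              make_secret("ocs-kms-ca-secret", "ca.cert", FAKE_CERT)]

# Constructed sample: the key names Rook expects (comment 7, PR 8008).
AFTER_FIX = [make_secret("ocs-kms-client-key", "key", FAKE_KEY),
             make_secret("ocs-kms-client-cert", "cert", FAKE_CERT),
             make_secret("ocs-kms-ca-secret", "cert", FAKE_CERT)]

if __name__ == "__main__":
    for label, secrets in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        findings = check_kms_secrets(secrets)
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Against the pre-fix secrets the check reports all three as unusable and names the legacy key to rename; against the fixed set it returns no findings. To run it on a live cluster, load the `items` array from `oc get secret -o json` and pass it to `check_kms_secrets`; a secret that has the right key name but a non-PEM value is reported separately, because that is what produces a curl TLS failure in the `encryption-kms-get-kek` init container rather than a missing-file error.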

Comment 8 gowtham 2021-02-02 08:43:21 UTC
I don't know where the miscommunication happened; it happened in the UI, but yes, it is a small fix.
  PR: https://github.com/openshift/console/pull/8008

Comment 13 errata-xmlrpc 2021-02-24 15:57:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633

Comment 14 Oded 2021-03-01 09:58:05 UTC
Same issue:

Procedure:
1. Install OCS via UI
2. Configure KMS Settings:
Service Name: vault
IP: https://vault.qe.rh-ocs.com
PORT: 8200
TOKEN: ***

advanced settings:
CA Certificate: fullchain.pem
Client Certificate: cert.pem
Client Private Key: privkey.pem

3. Check OSD pods status
OSD pods status is Error

$ oc logs rook-ceph-osd-0-5d459565bd-zq7qk
error: a container name must be specified for pod rook-ceph-osd-0-5d459565bd-zq7qk, choose one of: [osd log-collector] or one of the init containers: [blkdevmapper encryption-kms-get-kek encryption-open blkdevmapper-encryption encrypted-block-status expand-encrypted-bluefs activate expand-bluefs chown-container-data-dir]


$ oc logs rook-ceph-osd-0-5d459565bd-zq7qk -c encryption-kms-get-kek
curl: (60) SSL certificate problem: unable to get issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Comment 15 Oded 2021-03-01 10:17:27 UTC
(In reply to Oded from comment #14)
> Same issue:
> 
> Procedure: 
> 1.Install OCS via UI
> 2.Configure KMS Settings:
> Service Name: vault
> IP: https://vault.qe.rh-ocs.com
> PORT:8200
> TOKEN:***
> 
> advanced settings:
> CA Certificate: fullchain.pem   
> Client Certificate: cert.pem  
> Client Private Key: privkey.pem 
> 
> 3.Check OSD pods status
> OSD PODs status is Error
> 
> $ oc logs rook-ceph-osd-0-5d459565bd-zq7qk
> error: a container name must be specified for pod
> rook-ceph-osd-0-5d459565bd-zq7qk, choose one of: [osd log-collector] or one
> of the init containers: [blkdevmapper encryption-kms-get-kek encryption-open
> blkdevmapper-encryption encrypted-block-status expand-encrypted-bluefs
> activate expand-bluefs chown-container-data-dir]
> 
> 
> $ oc logs rook-ceph-osd-0-5d459565bd-zq7qk -c encryption-kms-get-kek
> curl: (60) SSL certificate problem: unable to get issuer certificate
> More details here: https://curl.haxx.se/docs/sslcerts.html
> 
> curl failed to verify the legitimacy of the server and therefore could not
> establish a secure connection to it. To learn more about this situation and
> how to fix it, please visit the web page mentioned above.

https://bugzilla.redhat.com/show_bug.cgi?id=1931839

Comment 18 Red Hat Bugzilla 2023-09-15 00:59:24 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days
